How to make key generators? 


I take no responsibility of the usage of this information. 
This tutorial, is for educational knowledge ONLY. 


Hi there, in this tutorial, I intend to teach you how to make a pretty 
simple keygen, of a program called W3Filer 32 V1.1.3. 

W3Filer is a pretty good web downloader... 

I guess some of you might know the program. 


`l1l assume you know: 

-How to use debugger (in this case, SoftIce). 

-How to crack, generally (finding protection routines,patching them,etc...). 
-How to use Disassembler (This knowledge can help). 

-Assembly. 

-How to code in Turbo Pascal (tm). 
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Tools you'll need: 

A.SoftIce 3.00/01 or newer. 

B.WD32Asm. (Not a must). 

C.The program W3Filer V1.13 (if not provided in this package), can be found in 
www.windows95.com I believe. 

D.Turbo Pascal (ANY version). 


Well, enough blah blah, let's go cracking... 

Run W3Filer 32. 

A nag screen pops, and , demands registration (Hmm, this sux ;-)) Now, 

We notice this program has some kind of serial number (Mine is 873977046), 
Let's keep the serial in mind, I bet we`ll meet it again while we're on 
the debugger. 


Well, now, let's put your name and a dummy reg code... 

set a BP on GetDlgItemTextA, and, press OK. 

We pop inside GetDlgItemTextA, Lets find the registration routine... 
Id 


save you the work, the registration routine is this: 


:00404DB2 8D95A8FAFFFF lea edx, dword ptr [ebpt+FFFFFAA8 ] 

:00404DB8 52 push edx —--> Your user name here. 

:00404DB9 E80B550000 call 0040A2C9 —--> Registration routine. 

:00404DBE 83C408 add esp, 00000008 ---> Dunno exactly what is it. 

:00404DC1 85C0 test eax, eax ---> Boolean identifier, 0 if 

:00404DC3 7D17 jge 00404DDC ---> registration failed, 1 if 
OK. 


Well, Let's enter the CALL 40A2C9, and see what's inside it: 
(Please read my comments in the code). 


* Referenced by a CALL at Addresses: 
|:00404DB9 , :00407F76 


:0040A2C9 55 push ebp 
:0040A2CA 8BEC mov ebp, esp 
:0040A2CC 81C4BOFEFFFF add esp, FFFFFEBO 
:0040A2D2 53 push ebx 


:0040A2D3 56 push esi 


:0040A2D4 57 push edi 
:0040A2D5 8B5508 mov edx, dword ptr [ebp+08] 
:0040A2D8 8DB500FFFFFF lea esi, dword ptr [ebptFFFFFFO00] 
:0040A2DE 33C0 xor eax, eax 
:0040A2E0 EB16 jmp 0040A2F8 
* Referenced by a (U)nconditional or (C)onditional Jump at Address: 
| :0040A2FB (C) 
:0040A2E2 OFBEOA movsx ecx, byte ptr [edx] ----> Here Starts the 
interesting part. 
:0040A2E5 83F920 cmp ecx, 00000020 ----> ECX is the the current 
char in the user name, Hmm, 20h=' '... 
:0040A2E8 740D je 0040A2F7 ----> Let's see, 
:0040A2EA 8A0A mov cl, byte ptr [edx] ----> Generally, all this loop 
does, is copying 
the user name from 
[EDX], to [ESI], WITHOUT the spaces! 
(Keep this in mind! ). 

:0040A2EC 880C06 mov byte ptr [esiteax], cl 
:0040A2EF 42 inc edx 
:0040A2F0 40 inc eax 
:0040A2F1 C6040600 mov byte ptr [esiteax], 00 
:0040A2F5 EB01 jmp 0040A2F8 
* Referenced by a (U)nconditional or (C)onditional Jump at Address: 
| : OO40A2E8 (C) 
:0040A2F7 42 inc edx 
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: 
|:0040A2E0(U), :0040A2F5 (U) 
:0040A2F8 803A00 cmp byte ptr [edx], 00 
:0040A2FB 75E5 jne 0040A2E2 > This is the loop , we got 
what it does, 

Let's continue tracing 
the code... 
:0040A2FD 56 push esi —— -------- > The user name is pushed, in order 
to 

Upcase it's chars. 

* Reference To: USER32.CharUpperA, Ord:0000h 
:0040A2FE E80F330000 Call User!CharUpper ---> After this, our name is in 
upper case. 
:0040A303 56 push esi  ----- > Our name in upper case here. 
* Reference To: cw3220mt._strlen, Ord:0000h 


:0040A4304 
:00404A4309 
:0040A30A 
:0040A30C 
:0040A30F 
:0040A311 
:0040A314 


E86F300000 
59 

8BC8 
83F904 
7D05 
83C8FF 
EB67 


* Referenced by a (U)nconditional 


Call 0040D378 ---> This is the length of our name. 


pop ecx 
mov ecx, eax ---> ECX=Length. 

cmp ecx, 00000004 ---> Length>=4 (MUST). 

jge 0040A316 -—--> Let's go to this address... 
or eax, FFFFFFFF 


jmp 0040A37D 


or (C)onditional Jump at Address: 


| : 0040A30F (C) 


:0040A316 33D2 xor edx, edx 

:0040A318 33C0 xor eax, eax 

:0040A31A 3BC8 cmp ecx, eax 

:0040A31C 7E17 jle 0040A335 ---> (Not important, just another useless 
checking). 

============ FROM HERE AND ON, THE IMPORTANT CODE, PAY ATTENTION ================== 

One thing before we continue, EDX = 00000000h as we enter to the next instructions. 


* Referenced by a (U)nconditional or 


(C)onditional Jump at Address: 


+eax] ---> EBX <--- char in user 
it shl's the char by O3h... 
+eax] ---> Now EDI <--- Char in 
t multiplies the char by the 
dds the result to EBX (That was 
DX=EDX+EBX!!! - This is the CORE 
ncrease EAX by one (next char). 


ECX<EAX then, we leave the 


6720] ---> HMMMMMM, What's in 


WAIT! R 


Please type in SIce 
Does this number in EAX look 


If you still don’t understand, 


our SERIAL NUMBER! (PLEASE, take 
yourself - don’t trust me!). OK, 
That it SHR's EAX by 03 (SAR is 


it adds the result from the 


(At this point, I 


EDX - only that the reg number 


| :0040A333 (C) 
:0040A31E OFBE1C06 movsx ebx, byte ptr [esi 
name, offset EAX. 
:0040A322 C1E303 shl ebx, 03 ----- > Hmm, 
(Remember that). 
:0040A325 OFBE3C06 movsx edi, byte ptr [esi 
user name , offset EAX. 
:0040A329 OFAFF8 imul edi, eax —----- > I 
offset in user name! (Remember that). 
:0040A32C 03DF add ebx, edi — ----- > A 
Shelled (Ding Dong =)). 
:0040A32E 03D3 add edx, ebx  ----- > E 
of this registration routine!!! 
:0040A330 40 inc eax == ——-—- > I 
:0040A331 3BC8 cmp ecx, eax 
:0040A333 7FE9 jg 0040A31E ----> If 
loop. 
* Referenced by a (U)nconditional or (C)onditional Jump at Address: 
| :0040A31C (C) 
:0040A335 A120674100 mov eax, dword ptr [0041 
here????? 
:0040A33A C1F803 sar eax, 03 —--------- > 
EAX' 
familiar to us? ;-) 
than, It's 
your time, and check by 
so now we know, 
almost identical to SHR). 
:0040A33D 03D0 add edx, eax --------- > 
loop, the serial number shr'd by 03h 
:0040A33F 52 push edx —— ------- > Le 
can tell you , the reg number, is 

in 
is in HEX --> That's how you enter it). 
* Possible StringData Ref from Data Obj ->"%1x" 


:0040A340 685EF54000 
:0040A345 8D95BOFEFFFF 
:0040A34B 52 


* Reference To: USER32.wsprintfA, 


:0040A34C E8E5320000 


push 0040F55E 
lea edx, dword ptr [ebpt+FFFFFEBO] 
push edx 


E 


Ord:0000h 


Call 0040D636 ------- > This one, does 


the value from EDX, and turns it to an hex string). 


:0040A351 83C40C 
:0040A354 8D8DBOFEFFFF 


add esp, 0000000C 
lea ecx, dword ptr [ebptFFFFFEBO] ----- 


THIS is the reg number! That's enough for us, the rest of 


just for comparing the correct reg code with ours. 


:0040A35A 51 


* Reference To: USER32.CharLowerA, 


:0040A35B E8B8320000 
:0040A360 8D85BOFEFFFF 
:0040A366 50 

:0040A367 FF750C 


* Reference To: cw3220mt._strcmp, 


:0040A36A E875300000 
:0040A36F 83C408 
:0040A372 85C0 
:0040A374 7405 
:0040A376 83C8FF 
:0040A379 EBO2 


* Referenced by a (U)nconditional 
| :0040A374 (C) 


:0040A37B 33C0 


* Referenced by a (U)nconditional 
|:0040A314(U), :0040A379 (U) 

| 

:0040A37D 5F 

:0040A37E 5E 

:0040A37F 5B 

:0040A380 8BE5 

:0040A382 5D 

:0040A383 C3 


Making the actual Ke 


Now, after I've explained how does 
code, you can either write your ow 
look at my code (in Turbo Pascal - 


That's it, here's the source of my 


push ecx 


Ord:0000h 
Call 0040D618 
lea eax, dword ptr [ebptFFFFF 
push eax 
push [ebp+0C] 


(zal 
wW 
a 


Ord:0000h 

| 

Call 0040D3E4 

add esp, 00000008 
test eax, eax 

je 0040A37B 

or eax, FFFFFFFF 
jmp 0040A37D 


or (C)onditional Jump at Address: 


xor eax, eax 


or (C)onditional Jump at Addresses: 


pop edi 

pop esi 

pop ebx 

mov esp, ebp 
pop ebp 

ret 


ygen 


the program calculate the registration 
n keymaker, without looking at my code, 


HEX2STR (Takes 


the code, 


or 


sorry for all you C lovers ;-) Next time). 


keygen: 


Cut here 


Program W3FilerKeygen; 
var 


is 


Key, SerialNum, EB, ED, digit:Longint; 


I,x:Byte; 
Name, KeyHex: String; 

begin 
Writeln(' W3Filer32 V1.1.3 Keymaker'); 
writeln('Cracked by *pain* ''97 / Rebels!"'); 
Write('Your Name:'); { Read the name } 
readin (Name); 
Write('Serial Number:'); 
readln(SerialNum) ; {Yes, we need the serial number for the calculation! } 
Key:=0; 
x:=0; 
For I:=1 to length (Name) do 
begin 

Name [I] :=upcase(Name[i]); 

If Name[I]<>' ' then begin 
eb:=ord(Name[I]) shl 3; {EB = Name[I] Shl 03h} 
Ed:=ord(Name[I]); {ED = Name[TI] } 
ed:=ed* (x); {ED=ED*Offset} 
inc (x); 
eb:=ebted; {Add ED to EB} 
Key: =Key+EB; {Add EB to KEY} 

end; 

end; 


Key:=Key+(SerialNum shr 3); { Add SerialNum shr 03h to Key} 


{ From here, this is just HEX2STRING --> I’m quite sure it's 


Self explaintory, else - go and learn number bases again! ;-) } 
KeyHex:=''; 
repeat 


digit:=Key mod 16; 
key:=key div 16; 
If digit<10 then KeyHex:=Chr (Digittord('0'))+KeyHex; 
If digit>10 then KeyHex:=Chr (Digit-10+ord('a"'))+KeyHex; 
until key=0; 
writeln('Your Key:',KeyHex) ; 
writeln(' Enjoy!'); 
end. 


Cut here 


This tutorial was written by ^pain^ / [mEXELiTE '97], Hope you enjoyed 
reading it, I’m always trying to improve my writing skills =). 


Hmm, I'd like to greet the following: (No special order) 


Blast Soft, Teraphy, JOb, Qapla, +ORC,Fravia, Charley, GhostRdr, Odin, kKOUGER 
Niabi,Acpizer,Klagosong,Mystic Rioter, rANDOM, riDDLER (Come back man! 

we NEED ya),yoshi, JosephCo, Leddy, Krazy_N, Vizion, Gunnar_,Volcanic, 
Fant0m, Caruso, |PSA|,razzi,ThePharao, |KAIRN| + Everyone in #cracking & in 
#cracking4newbies, And ofcourse - everyone else I forgot. ;) 


SS ee oe eS Signing off - ^pain^ 


